Why Did Federal Agencies See Fewer Breaches in 2018?

The White House issued the cybersecurity report this week. (Photo: The White House via Flickr/CC)

In 2018, federal agencies did not sustain a "major" data breach that affected more than 100,000 individuals or caused "demonstrable harm" to the government, national security, foreign relations or the economy, according to a new White House report. And the total number of incidents declined 12 percent.

The report notes, however, that federal agencies remain susceptible to cyberattacks and more risk mitigation work is needed. "The federal government must continue to act to reduce the impact that cybersecurity incidents have on the federal enterprises," the report states.

Meanwhile, some security experts warn that attackers may have shifted to target local and state agencies and government contractors, rather than federal agencies.

OMB Report's Findings

The report, prepared by the U.S. Office of Budget and Management and released by the White House this week, found that federal agencies experienced 31,000 "cyber incidents" in 2018, a 12 percent decline from 2017. Federal agencies sustained five "major" data breaches in 2017, according to the report.

Cybersecurity Spending

In 2018, the federal government spent nearly $15 billion on cybersecurity, with agencies such as the U.S. Defense Department ($8 billion) and the Department of Homeland Security ($1 billion) spending the most, the report shows. That spending total, however, does not include classified cybersecurity spending within agencies such as the CIA and the National Security Agency.

The report notes that all agencies have started to increase their cyber awareness and have adopted new tools, such as frameworks to increase the use of threat intelligence and to help prioritize where money is spent on specific cybersecurity initiatives.

More federal agencies also are taking advantage of the National Cybersecurity Protection System, which includes the U.S. government's intrusion detection and prevention program known as Einstein, according to the report.

New Targets?

While that might help explain some of the decrease in cyber incidents at federal agencies last year, another factor could be that attackers have started to focus their attention on other targets, says Terence Jackson, CISO of the security firm Thycotic Software.

"One reason for the drop is due to attackers focusing on local and state agencies, which have been an easier target to infiltrate," Jackson tells Information Security Media Group. "There have also been successful attacks leveraged against government contractors. The malicious actors are targeting the weaker links in the supply chain."

Gee Yoo, the CEO of threat intelligence firm Resecurity, agrees that ransomware is an increasing threat to governments at all levels, with these types of attacks gaining in sophistication and the amount of damage that they can cause.

"We are seeing growth in ransomware attacks on government sectors, some of them include previously unknown attack vectors and zero-day vulnerabilities in supply chain or system or application components," Yoo says.

Federal agencies have been investing in continuous monitoring as well as continuous diagnostic and mitigation programs to help mitigate cyber risks, says Sean Finnegan, vice president of federal services at cyber risk management firm Coalfire.

But Finnegan warns that attackers could switch methods and use more targeted and stealthier campaigns. He also notes that voting systems remain a tempting target.

"The attack tactics, techniques and procedures are evolving; it is always possible we could see significant exploit events soon," he says. "Federal agencies must remain focused on proactive measures while both government and the industry identify innovative and cost-effective methods to thwart attacks."

Phishing Remains a Concern

The Office of Budget and Management report found that federal agencies continue to be targeted by phishing attacks as well as social engineering schemes. Over 6,900 cyber incidents in 2018 involved phishing, the report notes, calling for the use of better training and technology to mitigate that risk.

"By implementing specific security standards that have been widely adopted in industry, DHS [Department of Homeland Security] determined that the federal enterprise as a whole could enhance the integrity and confidentiality of internet-delivered data, minimize spam, and better protect users who might otherwise fall victim to phishing emails seemingly from government-owned system," the report states.

In addition to phishing attacks, the report notes that unauthorized access to government IT systems by employees is another concern, with over 9,600 incidents in 2018.

About the Author

Venkat is special correspondent for Information Security Media Group's global news desk. She has previously worked at IDG, Business Standard, Bangalore Mirror and The New Indian Express, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news and education.
